- Checkmarx Documentation
- Checkmarx One
- Release Notes
- Previous Multi-Tenant Releases
- Version 3.24
Version 3.24
Multi-Tenant release date: October 28, 2024
Warning
The content and dates of these Release Notes are provisional and subject to change.
All new features, enhancements, and resolved issues will be available upon version deployment in the multi-tenant environment unless explicitly stated otherwise in the respective section's sub-heading.
Maintenance releases
Note
This table includes only the maintenance releases that addressed customer-facing issues. Maintenance releases that contained only internal enhancements are not listed.
Release number | Resolved issues |
---|---|
3.24.5 | Pip resolution had not been showing partial results when using fallback. |
New features and enhancements
Filter by Vulnerability Severity
The Filter by Vulnerability Severity feature in the Analytics module allows users to filter vulnerabilities detected across all projects within the Checkmarx One platform based on their severity. Users can choose from severity levels such as Critical, High, Medium, and Low, providing a clear view of the most critical vulnerabilities.
Enhanced Result Retention for BYOR (Bring Your Own Results)
Previously, the BYOR feature retained only the most recent results per provider, discarding historical data. This limitation made it challenging for users to effectively triage, compare results over time, track vulnerability progress, and analyze remediation trends.
To resolve this, we now retain the full history of imported results per provider (tool name), allowing for more comprehensive tracking and analysis.
Triaging Capabilities in BYOR
We have integrated triaging capabilities into the BYOR (Bring Your Own Results) feature. This enhancement enables users to categorize, prioritize, and manage vulnerabilities based on severity, risk, and other relevant metrics. As a result, users can focus on addressing the most critical vulnerabilities first, ensuring a more effective security posture.
Dynamic Scan Tagging for Code Repository Imports
Customers can now dynamically set scan tags when performing scans through Code Repository imports during Pull Request and Push Webhook events. This feature enhances the flexibility and organization of scan results, allowing for better categorization and tracking of vulnerabilities.
Manual Network Exposure Configuration for Cloud Insights
Complex network architectures - such as those using CDNs, WAFs, and reverse proxies - make it challenging to automatically determine network exposure for each container image in various use cases. To address this, we have enabled customers to manually specify whether each container image is publicly exposed.
This enhancement allows customers to provide network exposure runtime data more easily, eliminating the need for us to develop automatic support for every potential use case.
Enhanced Scan Triggering for Cloud Insights
We have improved Cloud Insights by allowing users to trigger manual scans in addition to the existing automated scans that occur every 24 hours. This enhancement enables customers to initiate scans whenever there are changes to assets in the production environment or modifications in network exposure.
Expanded Attack Path Graph in Cloud Insights
The Cloud Insights Attack Path graph now provides a more holistic view for container images marked as publicly exposed. Users can access these comprehensive results in the left side panel, allowing for a more thorough understanding of vulnerabilities and security risks associated with their container images.
Editing project tags
Users are now able to edit project tags, instead of just deleting them. This significantly enhances the user experience, especially for those transitioning from SAST. This feature is particularly valuable for users with large tags, as it eliminates the need to manually recreate them and reduces the chance of errors. It provides flexibility and familiarity, enhancing efficiency and streamlining workflow.
Enhanced Developer Contribution Tracking
We have addressed the gap in critical information needed to accurately count contributing developers and display this data to our customers. By integrating a new gRPC call, we can now retrieve this information directly from the integrations team responsible for the imported repositories. This enhancement enables us to provide customers with accurate and comprehensive data on developer contributions.
Data Retention Improvement: Scan Locking Feature
During the implementation of Data Retention, we identified the absence of a mechanism to exclude specific scans from deletion. To address this, we have introduced a new feature that allows users to mark certain scans as "locked." This ensures that important scan data is not subjected to automated purging, providing users with better control over their critical information.
Updated Permissions for Risk Management
We have revised the existing permissions in the Risk Management module to enhance clarity and functionality. The previous permission structure, which combined viewing the top 10 most risky applications and the Risk Management tab, has been split into two separate permissions:
view-risk-management-dashboard: Allows users to view the top 10 most risky applications.
view-risk-management-tab: Grants access to view the content within the Risk Management tab.
The update-risk-management permission remains unchanged, enabling users to edit the table in the tab.
Additionally, the view-risk-management permission will be removed to streamline access and improve user experience.
Improving Risk Management Consistency
The current risk management approach lacks consistency compared to the established method for SAST results, where clicking a result opens a tab in the same table. This inconsistency hampers the efficiency of risk assessments and limits access to partial MFE results.
To address this, we are implementing a new tab for displaying result views, providing a centralized location for users to access crucial risk management data clearly and organized. This enhancement will improve visibility and accessibility, leading to quicker analysis and more informed decision-making.
Note
Users must perform a re-scan of their projects with SCA results for these changes to work properly.
SCA Updates
SCA Auto Pull Request
For Code Repository Integration projects, we now support automatically submitting a pull request to remediate SCA vulnerabilities. The PR updates the package versions specified in your manifest file with remediated versions of those packages based on Checkmarx's recommendations. This feature is supported for all supported SCMs (GitHub, GitLab, Bitbucket and Azure DevOps).
This feature can be activated on the project level by turning on the SCA Auto Pull Request toggle in the project settings.
Limitations
Currently supported only for npm
package.json
manifest files.
Improving Clarity in SCA Risk Results
SCA results in application risk management often lack clarity due to the use of generic framework names, requiring users to invest additional effort to understand the associated risks.
By renaming framework types with specific SCA conventions, we can provide clearer and more meaningful risk classifications. This enhancement improves the user experience and boosts productivity by making the SCA risk results easier to interpret.
SCA Proper Names in Vulnerability Column
We have enhanced the display of SCA results in application risk management by replacing generic CVE or internal numbers with clear, descriptive naming conventions. This update provides users with more meaningful and understandable risk classifications, reducing the need for further investigation.
Resolved issues
Unable to generate PDF/CSV reports.
Changing the vulnerability state to something other than what was indicated in the last scan of the project resulted in the error "Failed to set need for recalculation."
Inconsistency between the results state in Analytics and the vulnerability state in the Project.
In a container scan, if a package was identified as malicious, there were no available details about the malicious package, which prevented any triage.
Infinite scans loop when GitLab Webhook had parameters:
merge_status
ascannot_be_merged
anddetailed_merge_status
asconflict
.Incorrect values were displayed on the graph Vulnerability Density in Analytics > Executive Overview.
Failed to generate the Analytics report when using the Add By Tags option.
Ubuntu: Latest docker file scanning results with 5 false negatives.
A user without view queries permissions, could still open and view the query editor.
When generating the Open Vulnerabilities Report for multiple applications, the process failed and returned the error message: “failed to generate the report report_id.pdf.”
Unable to see the full group names for longer entries.
Contributing Developers count didn’t match the CSV file that should represent it.
Report ignored vulnerabilities that were not marked as ignored.
Unable to generate a Project report.
Scan report should change its result link to the new viewer format.
Grouping by state in Result Viewer filtered incorrectly.
In repository projects, when only one branch existed, users could not select this branch from the dropdown menu, nor could they verify or set it as the primary branch.
New Result Viewer was failing to open for specific result, with "Something went wrong" error message on the UI.
Docker Hub rate limit was exceeded.
UI detected a package version that did not match the scanned dependency file.
Add retry to publish messages (distributed package) - JASPER SERVICES.
Wrong version of scikit-learn python package reported.
Scans got stuck during package usage calculation.
Viewing SCA results from the Scanners page returned a 400 error.
API results were not retrieving all the information from the ExploitablePath.